# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

## GitLab
## Modified from https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/support/nginx/gitlab-ssl & https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/support/nginx/gitlab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
##        CHUNKED TRANSFER      ##
##################################
##
## Git-over-HTTP requires chunked transfer encoding for request bodies [0], which
## Nginx only gained in 1.3.9 [1]. On older Nginx, pushing a large object with
## Git (i.e. a single large file) can therefore fail with a 411 error. Historically
## the suggested ways around this were to tweak this configuration file and either:
## - install an old version of Nginx with the chunkin module [2] compiled in, or
## - use a newer version of Nginx.
##
## At the time of writing neither of these solutions had been verified; since every
## currently supported Nginx release is newer than 1.3.9, running a supported Nginx
## version is the practical fix. As a workaround users can push large files over SSH.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
###################################
##         configuration         ##
###################################

<% if @https && @redirect_http_to_https %>
## Plain-HTTP listener whose only job is to send clients to the HTTPS host.
## The health-check endpoints included below are still answered here directly.
server { ## HTTPS redirect server
<% @listen_addresses.each do |addr| %>
  listen <%= addr %>:<%= @redirect_http_to_https_port %><%= ' proxy_protocol' if @proxy_protocol %>;
<% end %>

  server_name <%= @fqdn %>;
  server_tokens off; ## Don't show the nginx version number, a security best practice

  <% if @letsencrypt_enable %>
  ## ACME HTTP-01 challenges must be reachable over plain HTTP, so they are
  ## served from disk here instead of being redirected.
  location /.well-known/acme-challenge/ {
    root <%= @dir %>/www/;
  }
  <% end %>

  ## Everything else gets a permanent redirect. The target is built from the
  ## configured FQDN and port, not from the client-supplied Host header.
  location / {
    return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
  }

  ## Pass headers because the monitoring endpoints in the health-check include
  ## are proxied from this server directly rather than redirected.
  <% @proxy_set_headers.each do |name, value| %>
  <% next if value.nil? || value.empty? %>
  proxy_set_header <%= name %> <%= value %>;
  <% end %>

  # health checks configuration
  include <%= @gitlab_health_conf %>;

  access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
  error_log   <%= @log_directory %>/gitlab_error.log <%= @error_log_level%>;
} ## end HTTPS redirect server
<% end %>

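server { ## HTTPS server
<% @listen_addresses.each do |listen_address| %>
  listen <%= listen_address %>:<%= @listen_port %><% if @proxy_protocol %> proxy_protocol<% end %><% if @https %> ssl<% if @http2_enabled %> http2<% end %><% end %>;

  <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
  ## Dedicated Kerberos port; it is only TLS-wrapped when kerberos_https is set.
  listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
  <% end %>

<% end %>
  server_name <%= @fqdn %>;
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size <%= @client_max_body_size %>;

  <% if @https %>
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl_certificate <%= @ssl_certificate %>;
  ssl_certificate_key <%= @ssl_certificate_key %>;
  <% if @ssl_client_certificate %>
  ssl_client_certificate <%= @ssl_client_certificate%>;
  <% end %>
  <% if @ssl_verify_client %>
  ## NOTE(review): with `ssl_verify_client optional` nginx still accepts
  ## connections that present no or an invalid client certificate; whatever
  ## consumes the client identity must check $ssl_client_verify is SUCCESS.
  ssl_verify_client <%= @ssl_verify_client%>;
  ssl_verify_depth <%= @ssl_verify_depth%>;
  <% end %>

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  ssl_ciphers '<%= @ssl_ciphers %>';
  ssl_protocols  <%= @ssl_protocols %>;
  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
  ssl_session_cache  <%= @ssl_session_cache %>;
  ssl_session_tickets <%= @ssl_session_tickets %>;
  ssl_session_timeout  <%= @ssl_session_timeout %>;

  <% if @ssl_dhparam %>
  ssl_dhparam <%= @ssl_dhparam %>;
  <% end %>

  <% if @ssl_password_file %>
  ssl_password_file '<%= @ssl_password_file %>';
  <% end %>
  <% end %>

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  ## Only peers listed in set_real_ip_from may override the client address via
  ## real_ip_header; an over-broad list lets any client spoof the address that
  ## GitLab sees. Without at least one set_real_ip_from entry the header is ignored.
  <% if @real_ip_header %>
  real_ip_header <%= @real_ip_header %>;
  <% end %>
  <% if @real_ip_recursive %>
  real_ip_recursive <%= @real_ip_recursive %>;
  <% end %>
  <% @real_ip_trusted_addresses.each do |trusted_address| %>
  set_real_ip_from <%= trusted_address %>;
  <% end %>

  ## HSTS Config
  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  ## Browsers ignore Strict-Transport-Security received over plain HTTP, so this
  ## only takes effect on the TLS listener. The header value is kept in a template
  ## local because nginx does not inherit add_header into a location that declares
  ## its own add_header; the assets location below has to repeat it.
  <% hsts_value = nil %>
  <% unless @hsts_max_age.nil? || @hsts_max_age <= 0 %>
  <% hsts_value = "max-age=#{@hsts_max_age}#{'; includeSubdomains' if @hsts_include_subdomains}" %>
  add_header Strict-Transport-Security "<%= hsts_value %>";
  <% end %>

  <% if @referrer_policy %>
  # Rails sets a default policy of strict-origin-when-cross-origin, so
  # hide that and just send the one we've configured for nginx
  proxy_hide_header Referrer-Policy;
  add_header Referrer-Policy <%= @referrer_policy %>;
  <% end %>

  ## Individual nginx logs for this GitLab vhost
  access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
  error_log   <%= @log_directory %>/gitlab_error.log <%= @error_log_level%>;

  ## Fallback Host for HTTP/1.0 clients that send none; otherwise the
  ## client-supplied Host is passed through unchanged. It is attacker-controlled,
  ## so nothing downstream should trust it for building absolute URLs.
  if ($http_host = "") {
    <% default_host = Nginx.generate_host_header(@fqdn, @port, @https) %>
    set $http_host_with_default "<%= default_host %>";
  }

  if ($http_host != "") {
    set $http_host_with_default $http_host;
  }

  ## NOTE(review): compressing TLS responses that mix secrets with
  ## attacker-influenced content enables BREACH-style attacks; keep gzip_types
  ## to static asset types unless the application mitigates this itself.
  gzip <%= @gzip %>;
  <% if @gzip_enabled %>
  gzip_static on;
  gzip_comp_level <%= @gzip_comp_level %>;
  gzip_http_version <%= @gzip_http_version %>;
  gzip_vary on;
  gzip_disable "msie6";
  gzip_min_length 250;
  gzip_proxied <%= @gzip_proxied %>;
  gzip_types <%= @gzip_types.join(' ') %>;
  <% end %>

  ## https://github.com/gitlabhq/gitlabhq/issues/694
  ## Some requests take more than 30 seconds.
  proxy_read_timeout      <%= @proxy_read_timeout %>;
  proxy_connect_timeout   <%= @proxy_connect_timeout %>;
  proxy_redirect          off;
  <% if @custom_error_pages %>
  ## Replace upstream error bodies with the error_page documents defined below.
  proxy_intercept_errors on;
  <% end %>
  proxy_http_version 1.1;

  <% @proxy_set_headers.each do |header| %>
  <% next if header[1].nil? || header[1].empty? %>
  proxy_set_header <%= header[0] %> <%= header[1] %>;
  <% end %>

  ## Paths (operator-configured regex) whose request bodies must stream straight
  ## to workhorse instead of being buffered on disk first.
  location ~ (<%= @request_buffering_off_path_regex %>) {
    proxy_cache off;
    proxy_pass http://gitlab-workhorse;
    proxy_request_buffering off;
  }

  ## API responses keep their own error bodies (JSON) even with custom error pages.
  location ~ ^/api/v\d {
    proxy_cache off;
    proxy_pass http://gitlab-workhorse;
    proxy_intercept_errors off;
    <% if @proxy_custom_buffer_size -%>
    proxy_buffers 8 <%= @proxy_custom_buffer_size %>;
    proxy_buffer_size <%= @proxy_custom_buffer_size %>;
    <% end -%>
  }

  <% if node['gitlab_kas']['enable'] -%>
  ## Proxied over plain HTTP to the KAS listen addresses; assumes those are
  ## loopback or an otherwise trusted network -- TODO confirm.
  location = <%= File.join(@path, '-/kubernetes-agent/') %> {
    proxy_pass http://<%= node['gitlab_kas']['listen_address'] %>/;
    proxy_intercept_errors off;
  }

  location <%= File.join(@path, '-/kubernetes-agent/k8s-proxy/') %> {
    proxy_pass http://<%= node['gitlab_kas']['kubernetes_api_listen_address'] %>/;
    proxy_buffering off;
    proxy_intercept_errors off;
  }
  <% end -%>

  # health checks configuration
  include <%= @gitlab_health_conf %>;

  <% if @letsencrypt_enable %>
  location /.well-known/acme-challenge/ {
    root <%= @dir %>/www/;
  }
  <% end %>

  location <%= @path %> {
    proxy_cache off;
    proxy_pass  http://gitlab-workhorse;
    <% if @proxy_custom_buffer_size -%>
    proxy_buffers 8 <%= @proxy_custom_buffer_size %>;
    proxy_buffer_size <%= @proxy_custom_buffer_size %>;
    <% end -%>
  }

  location <%= File.join(@path, 'assets') %> {
    ## Declaring add_header here drops every add_header inherited from the
    ## server level, so HSTS and Referrer-Policy are re-emitted explicitly
    ## (proxy_hide_header is inherited independently and needs no repeat).
    add_header X-Content-Type-Options nosniff;
    <% if hsts_value %>
    add_header Strict-Transport-Security "<%= hsts_value %>";
    <% end %>
    <% if @referrer_policy %>
    add_header Referrer-Policy <%= @referrer_policy %>;
    <% end %>
    proxy_cache <%= @proxy_cache %>;
    proxy_pass  http://gitlab-workhorse;
  }

  ## Error documents are served from the Rails public directory; `internal`
  ## stops clients from requesting them directly by URL.
  <% errors = Nginx.parse_error_pages %>
  <% errors.each do |err, location| %>
  error_page <%= err %> /<%= location %>;
  <% end %>
  location ~ ^/(<%= errors.keys.join('|') %>)(-custom)?\.html$ {
    root <%= GitlabRails.public_path %>;
    internal;
  }

  ## Operator-supplied raw nginx directives, injected verbatim with no validation.
  <%= @custom_gitlab_server_config %>
} ## end HTTPS server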
